Privacy Policy

Last Updated: December 29, 2024

Table of Contents

  1. Introduction and Platform Overview
  2. Platform Role and Age Requirements
  3. Information We Collect
  4. How We Use and Process Information
  5. Payment Processing and Financial Data
  6. Data Sharing and Access
  7. Data Security and Protection
  8. Social Media Integration and Logins
  9. Data Retention and Deletion
  10. User Rights and Controls
  11. International Data Transfers
  12. Updates to Privacy Policy
  13. Contact Information
  14. Legal Basis for Processing
  15. Additional Rights and Information

1. Introduction and Platform Overview

This Privacy Policy ("Policy") governs the privacy practices of Corazon OÜ, a company registered under the laws of Estonia with registration number 16780313, having its registered office at Pirita tee 26f-11, Tallinn, Harjumaa 12011, Estonia (hereinafter referred to as "Company," "we," "us," or "our"). This Policy describes how we collect, use, process, and disclose your information across our digital properties, including our website located at https://corazon.dance and all related applications and services (collectively, the "Platform").

1.1 Platform Description

The Company operates the Platform as both a Software as a Service (SaaS) platform enabling organizations to manage their activities, courses, events, and services, and as a marketplace connecting service providers with users seeking healthy lifestyle activities. Through our Platform, we facilitate event management, course administration, community engagement, service provider discovery, activity bookings and registrations, payment processing, and content management and distribution.

1.2 Scope and Application

This Policy applies to all users of our Platform, whether accessing our services as an organization utilizing our SaaS capabilities or as an individual participating in activities facilitated through our marketplace. We are committed to protecting your privacy and ensuring the security of your personal information in accordance with applicable data protection laws and regulations.

2. Platform Role and Age Requirements

2.1 Age Restrictions and Requirements

The Platform is designed and intended for use by individuals who are eighteen (18) years of age or older. Users are solely responsible for ensuring compliance with these age requirements, and by accessing the Platform, each user represents and warrants that they meet the applicable age requirements. The Company does not independently verify the age of users during the registration process and relies on the information provided by users.

2.2 Minor Access and Parental Responsibility

Access to the Platform by individuals between thirteen (13) and seventeen (17) years of age ("Minors") is subject to the following conditions:

2.2.1 The Minor's parent or legal guardian bears sole responsibility for:

(a) Determining the appropriateness of Platform access for the Minor; (b) Supervising the Minor's use of the Platform; (c) Ensuring compliance with all Platform terms and conditions; (d) Any consequences arising from the Minor's use of the Platform.

2.2.2 Parents or legal guardians who permit Minors to use the Platform should notify the Company by sending an email to [email protected] with:

(a) The parent or legal guardian's full legal name and contact information; (b) The Minor's full legal name and date of birth; (c) Specific Platform services the Minor is permitted to access.

2.2.3 The Company reserves the right to:

(a) Limit or restrict access to certain Platform features or services; (b) Implement additional safeguards as deemed appropriate; (c) Modify access requirements to ensure compliance with applicable laws.

2.3 Prohibition on Collection of Children's Data

The Company expressly prohibits the use of the Platform by children under the age of thirteen (13) years. If the Company becomes aware of any user under the age of thirteen (13), the Company shall:

2.3.1 Suspend access to the associated account;

2.3.2 Notify the registered contact email address;

2.3.3 Delete all personal information associated with the account if proper parental verification is not received within fourteen (30) calendar days of notification;

2.3.4 Maintain records of such incidents as required by applicable law.

2.4 Platform Role and Responsibilities

The Company serves as both a Software as a Service (SaaS) provider and marketplace facilitator, maintaining distinct responsibilities in each capacity:

2.4.1 As a SaaS Provider, the Company:

(a) Provides and maintains the technical infrastructure for business operations; (b) Implements appropriate security measures for data protection; (c) Facilitates secure payment processing through authorized providers; (d) Ensures platform availability and performance within specified parameters.

2.4.2 As a Marketplace Facilitator, the Company:

(a) Enables discovery and connection between service providers and users; (b) Processes and secures marketplace transactions; (c) Maintains appropriate records of marketplace activities; (d) Implements verification procedures for service providers.

2.4.3 The Company explicitly disclaims responsibility for:

(a) Verification of user age or identity; (b) The actual provision of services listed on the Platform; (c) Direct supervision of activities organized through the Platform; (d) Personal interactions between users and service providers; (e) Content generated by users or service providers, except as required by law; (f) Ensuring the accuracy of information provided by users, including age and identity information.

3. Information We Collect

3.1 Categories of Information

The Company collects and processes information that users provide directly and information that is automatically generated through Platform usage. The scope and nature of information collected varies based on the user's role and interaction with our Platform, as detailed in the following sections.

3.2 Information Provided by Organizations

Organizations utilizing the Platform's services provide various categories of information necessary for business operations, including:

3.2.1 Business Identification Information:

The Company collects essential business information including legal business name, registration numbers, tax identification numbers, and other official business documentation necessary for legal compliance and Platform operations.

3.2.2 Contact and Administrative Information:

Organizations must provide primary contact details, including business address, telephone numbers, email addresses, and designated representatives' information. This includes the identification and contact information for authorized personnel who will manage the organization's Platform presence.

3.2.3 Service-Related Information:

Organizations provide detailed information about their services, including course descriptions, event details, pricing structures, schedules, and availability. This encompasses all content necessary for presenting and managing their offerings through the Platform.

3.2.4 Financial Information:

Organizations provide payment processing information, banking details, and other financial documentation necessary for processing transactions and managing Platform-related financial operations.

3.3 Information Provided by Individual Users

Individual users of the Platform provide personal information necessary for account creation and service access, including:

3.3.1 Personal Identification Information:

Users provide their full name, email address, and other identification information necessary for account creation and Platform usage.

3.3.2 Contact Information:

Users provide their telephone number, mailing address, and preferred contact methods for Platform communications and service delivery.

3.3.3 Transaction Information:

Users provide payment information, booking preferences, and other details necessary for processing Platform transactions and service arrangements.

3.4 Automatically Collected Information

The Company automatically collects certain information through user interaction with the Platform, including:

3.4.1 Technical Information:

The Platform automatically collects device identifiers, IP addresses, browser type and version, operating system details, and other technical information necessary for Platform operation and security.

3.4.2 Usage Information:

The Platform records information about user interactions, including pages visited, features accessed, time spent on various Platform sections, and patterns of Platform usage.

3.4.3 Location Information:

The Platform may collect location data through various means, including IP address geolocation and, where explicitly authorized by users, device location services. Users maintain control over location data collection through their device settings and Platform preferences.

3.5 Cookies and Tracking Technologies

The Company employs cookies and similar tracking technologies to enhance Platform functionality and user experience. These technologies collect and process information about Platform usage, user preferences, and interaction patterns. Users maintain control over cookie settings through their browser preferences, although limiting cookie usage may affect Platform functionality.

3.6 Third-Party Information Sources

The Company may receive information about users from third-party sources, including:

3.6.1 Payment processors and financial service providers who facilitate Platform transactions;

3.6.2 Identity verification services used to validate user information;

3.6.3 Social media platforms when users choose to connect their accounts;

3.6.4 Public sources of business and professional information for organizational accounts.

3.7 Information Accuracy and Updates

Users bear responsibility for ensuring the accuracy and currency of all information provided to the Platform. The Company reserves the right to verify provided information and request updates or additional documentation as necessary for Platform operation and legal compliance, but does not assume responsibility for independently verifying the accuracy of user-provided information.

4. How We Use and Process Information

4.1 Data Controller and Processor Status

The Company generally acts as the "data controller" under European data protection laws in relation to personal information processed through the Platform. However, in cases where the Company has entered into a data processing agreement with a business customer, the business customer serves as the "data controller" and the Company acts as the "data processor," processing data solely in accordance with the business customer's documented instructions.

4.2 Legal Basis for Processing

The Company processes personal information based on one or more of the following legal grounds:

4.2.1 Contract Performance: Processing necessary for executing our contractual obligations to users.

4.2.2 Legal Obligations: Processing required for compliance with legal requirements.

4.2.3 Legitimate Interests: Processing that serves the Company's legitimate business purposes.

4.2.4 Consent: Processing based on explicit user consent, where required by law.

4.3 Organization Services Processing (SaaS Platform)

The Company processes information for organizations utilizing the Platform's SaaS capabilities in the following manner:

4.3.1 Business Operations Management:

(a) Account and profile administration, including user authentication and access control; (b) Course and class scheduling, including resource allocation and availability management; (c) Student and client relationship management, including enrollment and attendance tracking; (d) Staff and instructor coordination, including scheduling and performance monitoring; (e) Document and content management, including storage and distribution; (f) Facility and resource management, including space allocation and maintenance.

4.3.2 Financial Operations Processing:

(a) Payment processing and transaction management; (b) Subscription billing and recurring payment administration; (c) Revenue tracking and financial reporting; (d) Commission calculations and disbursement; (e) Refund processing and dispute resolution; (f) Tax documentation and compliance reporting.

4.3.3 Analytics and Marketing Operations:

(a) Business performance analytics and reporting; (b) Usage pattern analysis and trend identification; (c) Marketing campaign management and effectiveness tracking; (d) Communication preference management; (e) Promotional content development and distribution; (f) Market analysis and competitive positioning.

4.4 Marketplace Functions Processing

The Company processes information to facilitate marketplace operations, including:

4.4.1 Service Delivery Functions:

(a) Event and course discovery and recommendation; (b) Registration and booking management; (c) Payment processing and transaction security; (d) Review and feedback system administration; (e) User-to-user communication facilitation; (f) Service delivery tracking and verification.

4.4.2 Platform Security Operations:

(a) Fraud monitoring and prevention systems; (b) Account security and access control; (c) Platform safety measure implementation; (d) Terms and policies enforcement; (e) Legal compliance verification and monitoring.

4.4.3 User Support Services:

(a) Inquiry response and ticket management; (b) Issue resolution and problem tracking; (c) Technical support provision; (d) Account assistance and maintenance; (e) Service optimization and improvement.

4.5 Additional Processing Activities

4.5.1 Content Management Operations:

(a) Testimonial posting and management (with explicit consent); (b) Prize draws and competition administration; (c) User-generated content moderation; (d) Educational material development and distribution; (e) Service documentation maintenance.

4.5.2 Communications Management:

(a) Administrative notification distribution; (b) Service update communications; (c) Policy change notifications; (d) Marketing communications (subject to consent); (e) Feedback request management; (f) Support response coordination.

4.5.3 Legal and Compliance Operations:

(a) Legal request processing and response; (b) Regulatory compliance monitoring; (c) Contract enforcement activities; (d) Harm prevention measures; (e) Rights protection enforcement.

4.5.4 Business Intelligence Processing:

(a) Data analysis and research activities; (b) Usage pattern identification and analysis; (c) Service improvement implementation; (d) Performance measurement and optimization; (e) User experience enhancement.

4.6 Data Usage Rights and Limitations

4.6.1 The Company maintains the right to use and store information in aggregated and anonymized form for analytical and statistical purposes.

4.6.2 The Company will not use identifiable personal information without appropriate legal basis or user consent.

4.6.3 Users maintain the right to opt out of marketing communications at any time through their account settings or by contacting the Company.

4.6.4 All data processing activities remain subject to applicable privacy laws and user rights as detailed in Section 10 (User Rights and Controls) of this Policy.

5. Payment Processing and Financial Data

5.1 Payment Processing Services

The Company utilizes Stripe as its designated payment processing service provider for all Platform transactions. The Company does not directly collect, store, process, or maintain credit card information or any other sensitive payment data. All payment processing activities, including data security measures and compliance with payment card industry data security standards (PCI DSS), are conducted exclusively through Stripe's secure payment infrastructure.

5.2 Company Role in Payment Processing

5.2.1 The Company's role in payment processing is limited to:

(a) Facilitating the connection between users and Stripe's payment services; (b) Maintaining records of completed transactions as provided by Stripe; (c) Managing administrative aspects of payment operations; (d) Facilitating communication regarding payment status and issues.

5.2.2 The Company maintains transaction records solely for the purposes of:

(a) Platform operation and service delivery; (b) Business accounting requirements; (c) Tax compliance obligations; (d) Customer service and support.

5.3 Payment Data Handling

5.3.1 All payment data is processed directly by Stripe. The Company does not:

(a) Process or store credit card information; (b) Handle sensitive payment authentication data; (c) Maintain payment security infrastructure; (d) Monitor payment processing systems.

5.3.2 Users are directed to Stripe's secure payment interface for all payment processing activities.

5.4 Financial Record Retention

5.4.1 The Company retains only those financial records necessary for:

(a) Legal compliance requirements; (b) Business accounting purposes; (c) Transaction verification; (d) Service delivery confirmation.

5.4.2 Financial records are retained only for the duration necessary to fulfill legal obligations and legitimate business purposes.

5.5 Third-Party Payment Services

5.5.1 Users acknowledge and agree that:

(a) All payment processing is conducted through Stripe; (b) Use of the Platform's payment features requires acceptance of Stripe's terms of service and privacy policy; (c) Payment information is provided directly to Stripe, not to the Company; (d) Stripe maintains responsibility for payment data security and processing.

5.5.2 The Company bears no responsibility for:

(a) The security of payment information provided to Stripe; (b) Stripe's data collection and processing activities; (c) Service interruptions or failures in Stripe's payment systems; (d) Technical issues arising from payment processing through Stripe.

5.6 Financial Information Access

5.6.1 Users may access their transaction history and payment information through:

(a) Their Platform account interface; (b) Direct interaction with Stripe's services; (c) Customer support inquiries to the Company.

5.7 Payment Disputes

5.7.1 Payment disputes are handled primarily through Stripe's dispute resolution processes.

5.7.2 The Company will cooperate with Stripe, users, and relevant financial institutions in resolving payment disputes by:

(a) Providing available transaction records; (b) Confirming service delivery status; (c) Responding to legitimate information requests; (d) Facilitating communication between relevant parties.

6. Data Sharing and Access

6.1 Legal Framework for Data Sharing

The Company shares personal information in accordance with applicable data protection laws and regulations. Such sharing occurs only under specific circumstances that align with one or more of the following legal bases: the performance of our contract with users, compliance with legal obligations, pursuit of legitimate business interests, or with user consent where required by law.

6.2 Categories of Data Recipients

6.2.1 Service Providers and Business Partners

The Company may share information with trusted service providers and business partners who assist in Platform operations, including:

(a) Cloud storage and hosting providers who maintain our technical infrastructure; (b) Analytics providers who help us understand Platform usage and performance; (c) Customer support services that assist in resolving user inquiries; (d) Marketing services providers who assist in communication delivery; (e) Professional advisors, including lawyers, auditors, and insurers.

6.2.2 Platform Users

The Company facilitates necessary information sharing between Platform users to enable service delivery:

(a) Organizations receive access to user information necessary for providing their services; (b) Individual users receive access to relevant organization information for service evaluation and engagement; (c) Both parties receive transaction-related information necessary for service fulfillment.

6.3 Information Sharing Circumstances

6.3.1 Business Transactions

The Company may share information in connection with business transactions, including:

(a) Merger, acquisition, or sale of Company assets; (b) Corporate restructuring or reorganization; (c) Financing or securitization transactions.

6.3.2 Legal Requirements

The Company may share information when required by law, including:

(a) Response to legal process or government requests; (b) Compliance with regulatory obligations; (c) Protection of Company rights and property; (d) Prevention of fraud or illegal activities; (e) Protection of user or public safety.

6.4 Access Controls and Restrictions

6.4.1 Organizational Access

Organizations utilizing the Platform receive access to:

(a) Their business profile and administrative settings; (b) Customer data related to their services; (c) Transaction records for their activities; (d) Analytics related to their Platform usage; (e) Communication records with their customers.

6.4.2 Individual User Access

Individual users maintain access to:

(a) Their personal profile and account settings; (b) Their booking and transaction history; (c) Their communication records with service providers; (d) Their payment and billing information; (e) Their Platform usage history.

6.5 Data Protection Responsibilities

6.5.1 User Responsibilities

Users acknowledge and accept responsibility for:

(a) Maintaining the confidentiality of their account credentials; (b) Controlling access to their account and information; (c) Ensuring appropriate use of shared information; (d) Complying with applicable data protection laws when handling information received through the Platform.

6.5.2 Organization Responsibilities

Organizations using the Platform acknowledge and accept responsibility for:

(a) Implementing appropriate measures to protect user information they receive; (b) Using shared information only for authorized purposes; (c) Complying with applicable data protection laws in their jurisdiction; (d) Managing their own data sharing and protection practices.

6.6 Information Security Notice

The Company implements basic technical measures for Platform operation but does not guarantee the security of information shared between users. Users acknowledge that:

6.6.1 Information shared through the Platform may be accessed and stored internationally;

6.6.2 The Company cannot control how recipients may use or further share received information;

6.6.3 Users should exercise caution when sharing sensitive information through the Platform;

6.6.4 The Company bears no responsibility for the protection of information once it has been legitimately shared with other users or third parties.

6.7 User Discretion in Information Sharing

Users maintain sole responsibility for their information sharing decisions and should:

6.7.1 Exercise judgment when sharing information through the Platform;

6.7.2 Consider the necessity of any information before sharing;

6.7.3 Understand that shared information may be further processed by recipients;

6.7.4 Recognize that the Company cannot control or restrict information once legitimately shared.

7. Data Security and Protection

7.1 Security Infrastructure Overview

The Company implements security measures through a combination of trusted third-party service providers and standard security features available through our development framework. Our security infrastructure primarily relies on FastComet for hosting security and Cloudflare for additional protection layers. These providers maintain their own comprehensive security measures and protocols, which form the foundation of our Platform's security infrastructure.

7.2 Platform Security Implementation

The Company's Platform security is built upon Laravel Jetstream and Filament authentication systems, which provide industry-standard security features including:

7.2.1 User Authentication:

(a) Secure password hashing and storage; (b) Two-factor authentication capabilities where enabled; (c) Automated session management and timeout procedures; (d) Protected authentication endpoints and routes.

7.2.2 Access Controls:

(a) Role-based access control implementation; (b) User permission management; (c) Session validation and verification; (d) Secure password reset procedures.

7.3 Infrastructure Security Providers

7.3.1 FastComet Hosting Security:

The Company utilizes FastComet's hosting services, which include:

(a) Server-level security protocols; (b) Infrastructure maintenance and updates; (c) Network security measures; (d) Physical data center security.

7.3.2 Cloudflare Protection:

The Platform employs Cloudflare's free tier security services, which provide:

(a) Basic DDoS protection; (b) SSL/TLS encryption; (c) Web application firewall capabilities; (d) Traffic filtering and threat detection.

7.4 User Security Responsibilities

Users of the Platform maintain important security responsibilities, including:

7.4.1 Account Security:

(a) Creating and maintaining secure passwords; (b) Protecting access to their account credentials; (c) Ensuring the security of their personal devices; (d) Maintaining the confidentiality of their authentication information.

7.4.2 Access Management:

(a) Logging out of their accounts when using shared devices; (b) Promptly reporting any suspected unauthorized access; (c) Regularly reviewing their account activity; (d) Updating contact information for security notifications.

7.5 Security Limitations and Disclaimers

The Company provides this transparent disclosure regarding the current state of Platform security:

7.5.1 The Company primarily relies on third-party security providers and standard framework security features;

7.5.2 Advanced security features such as continuous monitoring, automated threat detection, and sophisticated encryption systems are not currently implemented beyond those provided by our third-party service providers;

7.5.3 The Company makes no representations or warranties about the absolute security of the Platform;

7.5.4 Users acknowledge and accept the inherent risks of internet-based services and data transmission.

7.6 Security Incident Response

In the event of a security incident:

7.6.1 The Company will investigate and respond to security incidents within its control;

7.6.2 Users will be notified of security breaches as required by applicable law;

7.6.3 The Company will cooperate with hosted infrastructure providers in their incident response procedures;

7.6.4 The Company will take reasonable steps to address and remediate identified security issues.

7.7 Future Security Enhancements

The Company maintains a commitment to improving Platform security over time:

7.7.1 Security measures will be enhanced as the Platform grows and resources permit;

7.7.2 Additional security features may be implemented based on risk assessment and user needs;

7.7.3 Users will be notified of significant security improvements that affect Platform usage;

7.7.4 The Company will continue to evaluate and implement appropriate security measures as they become available through our service providers.

8. Social Media Integration and Logins

8.1 Social Authentication Framework

The Company currently provides Facebook authentication as a social login option to enhance Platform accessibility and user experience. The Company maintains plans to implement additional authentication providers, including Google, in future Platform updates. Users may choose to utilize these social authentication options or maintain separate Platform credentials at their discretion.

8.2 Facebook Platform Integration

8.2.1 Integration Scope and Governance

The Company's integration with Facebook's platform is governed by and subject to:

(a) Facebook's Platform Terms (https://developers.facebook.com/terms); (b) Facebook's Data Policy (https://www.facebook.com/policy.php); (c) The Company's Developer Terms of Service; (d) All applicable data protection laws and regulations.

The Company maintains strict compliance with these governing frameworks in all aspects of Facebook platform integration and data handling.

8.2.2 Facebook Features Implementation

The Company utilizes specific Facebook platform features including:

(a) Facebook Login for user authentication and account creation; (b) Facebook Events API for event synchronization and management; (c) Associated APIs necessary for core functionality implementation.

8.3 Data Collection Through Facebook Integration

8.3.1 Authentication Data Collection

When users choose to authenticate through Facebook, the Company collects:

(a) Basic Profile Information: (i) Name as registered with Facebook; (ii) Email address associated with Facebook account; (iii) Public profile picture when available; (iv) Facebook user identifier.

8.3.2 Events Data Collection

For users utilizing events integration, the Company collects:

(a) Event Information: (i) Event details including title, description, and scheduling data; (ii) Event location information; (iii) Event cover images and media; (iv) Event privacy settings and configurations; (v) Event administrative permissions.

8.4 Platform Access Hierarchy

8.4.1 Administrative Access Levels

The Company maintains three distinct administrative access levels:

(a) Super Administrators: (i) Possess complete Platform administrative capabilities; (ii) Manage administrative user permissions; (iii) Override standard Platform restrictions when necessary.

(b) Administrators: (i) Manage Platform operations within assigned scope; (ii) Access enhanced Platform features; (iii) Assist with user support and management.

(c) Organization Managers: (i) Manage specific organizational accounts; (ii) Access organization-specific features and data; (iii) Maintain limited administrative capabilities within their organization.

8.5 Data Processing and Usage

8.5.1 Authentication Processing

The Company processes Facebook authentication data to:

(a) Create and maintain user accounts; (b) Verify user identity and permissions; (c) Facilitate secure Platform access; (d) Maintain user session management.

8.5.2 Events Processing

The Company processes Facebook events data to:

(a) Import and synchronize events within the Platform; (b) Maintain event data accuracy and currency; (c) Process event updates and modifications; (d) Facilitate event discovery and participation.

8.6 Data Usage Restrictions

The Company explicitly prohibits:

8.6.1 Unauthorized collection or use of Facebook platform data;

8.6.2 Sharing of Facebook-sourced data with unauthorized parties;

8.6.3 Use of Facebook platform data for purposes not explicitly disclosed in this policy;

8.6.4 Storage of Facebook platform data beyond necessary retention periods.

8.7 User Control and Rights

Users maintain comprehensive rights regarding their Facebook-connected data, including:

8.7.1 The right to disconnect Facebook integration at any time;

8.7.2 Control over specific data sharing permissions;

8.7.3 The right to request deletion of Facebook-sourced data;

8.7.4 The ability to modify Facebook integration preferences.

8.8 Future Integration Developments

The Company maintains development plans for additional social media integrations, including Google authentication. All future integrations will:

8.8.1 Implement appropriate privacy and security measures;

8.8.2 Require explicit user consent for implementation;

8.8.3 Maintain compliance with applicable platform policies;

8.8.4 Preserve user privacy rights and control options.

8.9 Compliance and Monitoring

The Company maintains ongoing compliance monitoring for Facebook platform integration, including:

8.9.1 Regular review of platform policies and requirements;

8.9.2 Timely implementation of required policy updates;

8.9.3 Monitoring of data usage and access patterns;

8.9.4 Regular auditing of integration compliance status.

9. Data Retention and Deletion

The Company maintains comprehensive data retention and deletion policies designed to protect user privacy while ensuring compliance with legal requirements and business operations. This section details our approach to data retention, deletion, and anonymization practices.

9.1 General Retention Principles

The Company retains personal information only for the duration necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal and regulatory requirements, and support legitimate business needs. When the Company no longer requires personal information for these purposes, such information shall be either deleted or anonymized, unless specific retention is required by law. The decision between deletion and anonymization shall be made based on the nature of the data, technical feasibility, and potential future analytical value.

9.2 Active Account Data Retention

9.2.1 Organization Account Data

The Company maintains different retention periods for various categories of organization data, as follows:

(a) Course-Related Information: (i) Active course data shall be retained for the duration of the course plus one (1) year following course completion; (ii) Student records shall be maintained in accordance with applicable educational requirements; (iii) Course materials shall be retained while the course remains active; (iv) Historical performance data shall be retained for a period of up to three (3) years.

(b) Event-Related Information: (i) Active event details shall be maintained until event completion; (ii) Attendee lists shall be retained for three (3) months following event completion; (iii) Event media shall be maintained for six (6) months post-event; (iv) Historical event data shall be retained for up to one (1) year.

(c) Service and Product Information: (i) Active listings shall be maintained while publicly available; (ii) Transaction records shall be retained in accordance with applicable legal requirements; (iii) Customer interaction records shall be maintained for two (2) years; (iv) Service history shall be retained for up to three (3) years.

(d) General Business Information: (i) Account information shall be maintained while the account remains active; (ii) Financial records shall be retained in accordance with applicable tax laws; (iii) Marketing materials shall be maintained while in active use; (iv) Analytics data shall be retained for up to three (3) years.

9.2.2 Individual User Account Data

The Company maintains the following retention periods for individual user data:

(a) Account information shall be retained while the account remains active; (b) Purchase and booking history shall be maintained for three (3) years; (c) Payment information shall be retained in accordance with applicable legal requirements; (d) Activity logs shall be maintained for one (1) year; (e) Communication history shall be retained for two (2) years.

9.3 Account Deletion Process

9.3.1 Organization Account Deletion

Upon deletion of an organization account, the Company shall:

(a) Mark all active offerings for removal from the Platform; (b) Issue notifications to affected users regarding service discontinuation; (c) Retain required legal and financial records in accordance with applicable laws; (d) Remove personal data within thirty (30) days of account deletion; (e) Archive business data in accordance with legal requirements and retention schedules.

9.3.2 Individual Account Deletion

Upon deletion of an individual user account, the Company shall:

(a) Remove personal information within thirty (30) days of account deletion; (b) Maintain active bookings and purchases until their completion; (c) Retain historical transaction records as required by applicable laws; (d) Anonymize communication history while maintaining record integrity; (e) Anonymize public content, including reviews and comments, while preserving Platform functionality.

9.4 Data Anonymization and Archival

9.4.1 Anonymization Process

When the Company chooses to anonymize rather than delete data, the process shall:

(a) Remove or modify all personally identifiable information; (b) Ensure the anonymization process is irreversible; (c) Maintain the statistical value of the data where appropriate; (d) Preserve necessary business intelligence capabilities.

9.4.2 Data Archival Procedures

In circumstances where immediate deletion is not feasible or advisable, such as in backup archives, the Company shall:

(a) Maintain secure storage of the information with appropriate access controls; (b) Isolate archived data from active processing systems; (c) Implement deletion procedures when technically feasible; (d) Apply anonymization techniques where appropriate; (e) Maintain documentation of archival decisions and procedures.

9.5 Retention Period Modifications

The Company reserves the right to modify retention periods based on:

9.5.1 Changes in legal or regulatory requirements;

9.5.2 Evolution of business needs and practices;

9.5.3 Technological advancements in data management;

9.5.4 Changes in data protection standards and best practices.

9.6 Documentation and Compliance

The Company shall maintain comprehensive records of:

9.6.1 All anonymization and deletion activities;

9.6.2 Modifications to retention periods;

9.6.3 Archival decisions and procedures;

9.6.4 Compliance with data subject requests regarding retention and deletion.

10. User Rights and Controls

10.1 Fundamental Data Protection Rights

The Company acknowledges and respects the fundamental rights of users regarding their personal information. Each user maintains specific rights concerning the collection, processing, and storage of their personal information, as detailed in this section. The Company is committed to facilitating the exercise of these rights and shall respond to all legitimate requests in accordance with applicable data protection laws.

10.2 Specific User Rights

All users of the Platform maintain the following specific rights regarding their personal information:

10.2.1 Right to Access: Users maintain the right to obtain confirmation regarding whether their personal information is being processed and to access such information in a structured, commonly used format. The Company shall provide copies of personal information upon request, subject to verification of identity.

10.2.2 Right to Rectification: Users may request the correction of inaccurate personal information or the completion of incomplete personal information maintained by the Company. Such corrections shall be implemented without undue delay following verification.

10.2.3 Right to Erasure: Users may request the deletion of their personal information under specific circumstances, including when the information is no longer necessary for the purposes for which it was collected. The Company shall comply with such requests unless specific legal obligations require continued retention.

10.2.4 Right to Restrict Processing: Users maintain the right to restrict the processing of their personal information under certain circumstances, including when they contest the accuracy of the information or when processing is unlawful but the user opposes erasure.

10.2.5 Right to Data Portability: Users may request their personal information in a structured, commonly used, and machine-readable format, and have the right to transmit this information to another controller without hindrance from the Company.

10.2.6 Right to Object: Users maintain the right to object to the processing of their personal information under certain circumstances, including processing for direct marketing purposes.

10.3 Regional Rights and Protections

10.3.1 European Economic Area (EEA) and UK Residents

Residents of the EEA and United Kingdom maintain additional rights under the General Data Protection Regulation (GDPR) and UK GDPR, respectively. These rights include:

(a) Comprehensive access to personal data processed by the Company; (b) The right to erasure ("right to be forgotten"); (c) The right to withdraw consent for processing; (d) The right to lodge complaints with supervisory authorities.

EEA residents may file complaints with their local data protection authority, as listed at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

10.3.2 Swiss Residents

Swiss residents maintain specific rights under Swiss data protection law and may file complaints with the Federal Data Protection and Information Commissioner (FDPIC) at: https://www.edoeb.admin.ch/edoeb/en/home.html

10.4 Exercise of Rights

10.4.1 Request Procedures

Users seeking to exercise their rights regarding personal information shall:

(a) Submit requests through designated channels, preferably via email to [email protected]; (b) Provide sufficient information for identity verification; (c) Clearly specify the right being exercised; (d) Include relevant details to facilitate request processing.

10.4.2 Response Timeline

The Company shall:

(a) Acknowledge receipt of requests within five (5) business days; (b) Process legitimate requests within thirty (30) days of receipt; (c) Notify users if additional time is required for complex requests; (d) Provide reasons for any request denials.

10.5 Account Management and Control

The Company provides specific mechanisms for users to manage their Platform presence and personal information. Users maintain the ability to:

10.5.1 Access and modify their basic account information directly through their Platform profile interface;

10.5.2 Request comprehensive data export by submitting a request to [email protected];

10.5.3 Initiate account deletion procedures by contacting [email protected].

The Company shall process all such requests within thirty (30) days of receipt, subject to appropriate identity verification procedures.

10.6 Privacy Control Development

The Company maintains an active development roadmap for enhanced privacy controls and user management features. These planned enhancements include:

10.6.1 Communication Management: (a) Advanced communication preference settings; (b) Enhanced marketing preference controls; (c) Comprehensive email subscription management portal; (d) Granular notification control options.

10.6.2 Data Management: (a) Self-service data export functionality; (b) Automated account deletion processes; (c) Advanced data sharing controls; (d) Enhanced privacy setting configurations.

10.6.3 Cookie Management: (a) Comprehensive cookie preference center; (b) Granular cookie control options; (c) Enhanced cookie consent management; (d) Cookie preference persistence capabilities.

10.7 Interim Request Processing

Until the implementation of enhanced privacy features is complete, users may submit all privacy-related requests to [email protected]. The Company shall process the following types of requests through this channel:

10.7.1 Communication Preferences: (a) Updates to communication settings; (b) Marketing communication opt-out requests; (c) Subscription management modifications; (d) Notification preference adjustments.

10.7.2 Data Management Requests: (a) Personal data export requests; (b) Account deletion initiation; (c) Data sharing limitation requests; (d) Cookie preference modifications.

10.7.3 Privacy Inquiries: (a) Data protection concerns; (b) Privacy setting adjustments; (c) Cookie-related inquiries; (d) General privacy questions.

10.8 Request Processing Standards

The Company maintains strict standards for processing all privacy-related requests:

10.8.1 Timeline Commitment: (a) Initial acknowledgment within five (5) business days; (b) Complete processing within thirty (30) days; (c) Status updates for complex requests requiring additional time; (d) Prompt notification of request completion.

10.8.2 Verification Requirements: (a) Identity confirmation through established procedures; (b) Authority verification for representative requests; (c) Additional verification steps as needed; (d) Secure communication channels for sensitive information.

10.9 Verification Requirements

The Company implements verification procedures to ensure that rights are exercised only by authorized individuals. These procedures may include:

10.9.1 Identity verification through government-issued identification;

10.9.2 Confirmation through registered contact information;

10.9.3 Additional security questions or verification steps as deemed necessary;

10.9.4 Special procedures for authorized representatives exercising rights on behalf of users.

10.10 Limitations and Exceptions

The Company may limit or deny rights requests under certain circumstances, including:

10.10.1 When granting the request would infringe upon the rights of others;

10.10.2 When retention is required by law or legitimate business purposes;

10.10.3 When requests are manifestly unfounded or excessive;

10.10.4 When the Company cannot verify the identity of the requesting party.

10.11 Future Enhancements

The Company maintains ongoing development of privacy controls and user rights management systems. Planned enhancements include:

10.11.1 Advanced communication preference settings;

10.11.2 Enhanced data export capabilities;

10.11.3 Automated account deletion processes;

10.11.4 Expanded privacy control options.

10.12 Documentation and Records

The Company maintains comprehensive records of:

10.12.1 All rights requests received and processed;

10.12.2 Response timelines and actions taken;

10.12.3 Verification procedures implemented;

10.12.4 Any exceptions or limitations applied.

11. International Data Transfers

11.1 Organizational Structure and Data Processing

The Company, Corazon OÜ, is established and registered in Estonia, maintaining its principal place of business at Pirita tee 26f-11, Tallinn, Harjumaa 12011, Estonia. The Company conducts its development and operational activities through its office in Croatia. As a growing startup, the Company relies on established third-party service providers for core infrastructure and processing capabilities to ensure reliable and secure service delivery.

11.2 Service Providers

11.2.1 Primary Hosting Provider

The Company utilizes FastComet as its primary hosting and data storage provider. FastComet maintains established data centers with standard security protocols and compliance measures. The Company relies on FastComet's infrastructure and security measures for the protection of data stored and processed through their services. Users acknowledge that their information may be stored and processed in any of FastComet's data center locations in accordance with FastComet's standard operating procedures.

11.2.2 Search and Performance Services

The Company employs Algolia's services to enhance Platform search functionality and performance. This arrangement necessitates the processing of certain data elements by Algolia within their established infrastructure. The Company's use of Algolia's services is governed by Algolia's standard terms of service and data processing agreements.

11.3 Current Data Protection Measures

The Company currently implements basic data protection measures through its reliance on established service providers and standard development frameworks. These measures include:

11.3.1 Standard security features provided by our hosting platform;

11.3.2 Basic access controls for administrative functions;

11.3.3 Standard encryption protocols provided by our service providers;

11.3.4 Regular software updates and maintenance.

11.4 Service Provider Relationships

The Company's relationships with its service providers are governed by:

11.4.1 Standard service agreements provided by each provider;

11.4.2 Standard data processing terms where applicable;

11.4.3 Provider privacy policies and security measures;

11.4.4 Applicable terms of service and use.

11.5 Future Enhancement Plans

As the Company grows, we are committed to enhancing our data protection and transfer security measures. Planned future improvements include:

11.5.1 Development of comprehensive data protection policies;

11.5.2 Implementation of enhanced monitoring and security measures;

11.5.3 Establishment of formal staff training programs;

11.5.4 Enhancement of documentation and compliance procedures.

11.6 User Rights

Users maintain specific rights regarding their personal information, including:

11.6.1 The right to be informed about international transfers of their data;

11.6.2 The right to inquire about current security measures and processing locations;

11.6.3 The right to obtain basic information about our service providers;

11.6.4 The right to object to specific data processing activities where applicable.

11.7 Current Compliance Status

The Company maintains basic compliance with applicable data protection requirements through:

11.7.1 Reliance on established service providers' compliance programs;

11.7.2 Standard contractual terms with service providers;

11.7.3 Basic record-keeping of processing activities;

11.7.4 Commitment to ongoing compliance improvements.

11.8 Data Transfer Acknowledgment

Users acknowledge and agree that by using the Platform:

11.8.1 Their information may be transferred to and processed in various jurisdictions where our service providers maintain operations;

11.8.2 Data protection standards may vary between jurisdictions;

11.8.3 The Company relies on established service providers' security measures;

11.8.4 Transfer mechanisms and protections will be enhanced as the Company grows.

12. Updates to Privacy Policy

12.1 Policy Modification Authority

The Company reserves the right to modify, amend, or update this Privacy Policy at any time in its sole discretion to reflect changes in our privacy practices, Platform functionality, applicable laws and regulations, or other relevant factors. Such modifications become effective immediately upon posting the updated Privacy Policy on the Platform, and users' continued use of the Platform following any modifications constitutes acceptance of such changes.

12.2 Reasons for Updates

The Company may update this Privacy Policy for various reasons, including but not limited to:

12.2.1 Changes in Platform Services: Modifications to reflect new or modified Platform features, functionalities, or service offerings that affect personal information processing;

12.2.2 Legal and Regulatory Compliance: Updates necessary to ensure continued compliance with evolving data protection laws, regulations, and industry standards;

12.2.3 Operational Changes: Adjustments reflecting modifications to our internal practices, procedures, or organizational structure;

12.2.4 Security Enhancements: Changes related to implementation of new security measures or modification of existing security practices;

12.2.5 User Feedback: Improvements based on user suggestions, concerns, or feedback regarding privacy practices.

12.3 Notification of Changes

The Company shall communicate Privacy Policy updates to users through appropriate channels:

12.3.1 Last Updated Date: Each version of the Privacy Policy shall display a "Last Updated" date at the beginning of the document, enabling users to identify the current version;

12.3.2 Material Changes: For significant modifications that substantially affect user rights or Company obligations, the Company shall provide notice through one or more of the following methods:

(a) Prominent notices or announcements on the Platform; (b) Direct email notifications to registered users; (c) Platform notifications upon user login; (d) Other appropriate communication channels.

12.4 User Rights Regarding Updates

Users maintain specific rights regarding Privacy Policy updates:

12.4.1 Review Period: Users shall have the opportunity to review any modified terms before they become effective;

12.4.2 Account Decisions: Users may decide whether to continue using the Platform under modified terms or terminate their account if they do not agree with the changes;

12.4.3 Information Requests: Users may request information about specific changes and their implications for personal information processing.

12.5 Prior Versions

The Company maintains records of previous Privacy Policy versions for reference purposes. Users may request access to prior versions by contacting [email protected]. While the current version governs the relationship between users and the Company, access to previous versions enables users to understand historical changes in privacy practices.

12.6 Implementation of Changes

When implementing Privacy Policy updates, the Company shall:

12.6.1 Allow reasonable time between announcement and implementation of material changes when practicable;

12.6.2 Maintain clear records of modification dates and substance of changes;

12.6.3 Ensure internal procedures align with updated policy requirements;

12.6.4 Provide necessary clarification to users regarding implementation of changes.

12.7 Continuation of Service

Users' continued access to or use of the Platform following any Privacy Policy modification constitutes acceptance of the updated terms. Users who do not agree with the modified terms should discontinue Platform use and may terminate their account in accordance with the Platform's standard termination procedures.

12.8 Special Circumstances

The Company may implement immediate Privacy Policy changes without prior notice when:

12.8.1 Required by law or regulation;

12.8.2 Necessary to address immediate security concerns;

12.8.3 Responding to emergency situations;

12.8.4 Making corrections to errors or inaccuracies.

12.9 User Responsibilities

Users bear responsibility for:

12.9.1 Regularly reviewing the Privacy Policy for updates;

12.9.2 Understanding how modifications affect their rights and obligations;

12.9.3 Making informed decisions about continued Platform use;

12.9.4 Maintaining current contact information to receive update notifications.

12.10 Documentation of Changes

The Company maintains comprehensive records of Privacy Policy modifications, including:

12.10.1 Detailed changelog of modifications;

12.10.2 Justification for material changes;

12.10.3 Dates of implementation and notification;

12.10.4 User communications regarding updates.

13. Contact Information

13.1 Company Details

Corazon OÜ maintains its registered office and principal place of business in Estonia. All official communications and legal notices shall be directed to:

Corazon OÜ
Registration Number: 16780313
Pirita tee 26f-11
Tallinn, Harjumaa 12011
Estonia

13.2 Primary Contact Channels

The Company provides multiple channels for user communication and inquiries. Users may contact the Company through the following primary methods:

13.2.1 General Inquiries and Support: For general questions, support requests, and Platform-related inquiries, users should contact: Email: [email protected]

13.2.2 Technical Support: For technical issues and Platform functionality concerns, users should contact: Email: [email protected]

13.2.3 Urgent Matters: For issues requiring immediate attention during business hours, users may contact:
Telephone: +41 76 571 49 31
Email: [email protected]

13.3 Response Times and Expectations

The Company maintains the following response time standards for different types of inquiries:

13.3.1 Standard Communications: The Company strives to respond to general inquiries within five (5) business days of receipt.

13.3.2 Urgent Matters: The Company endeavors to provide an initial response to urgent inquiries within forty-eight (48) hours during business hours.

13.3.3 Technical Support: Technical support inquiries shall receive acknowledgment within two (2) business days, with resolution timelines determined by issue complexity.

13.4 Business Hours and Availability

The Company maintains the following operational hours for communication purposes:

13.4.1 Standard Business Hours: Monday through Friday: 09:00 - 18:00 Eastern European Time (EET)

13.4.2 Technical Support Hours: Monday through Friday: 09:00 - 18:00 Eastern European Time (EET)

13.4.3 Emergency Support: Available during standard business hours for urgent matters requiring immediate attention.

13.5 Communication Guidelines

To ensure efficient processing of inquiries, users should:

13.5.1 Include relevant account information in all communications;

13.5.2 Provide a clear description of inquiries or issues;

13.5.3 Specify the preferred contact method for responses;

13.5.4 Indicate any time sensitivity or urgency.

13.6 Legal Notices and Official Communications

All legal notices and official communications to the Company must be sent in writing to the registered office address or via email to [email protected]. Such communications shall be deemed received:

13.6.1 Upon actual delivery to the specified physical address;

13.6.2 Upon receipt confirmation for electronic communications;

13.6.3 Three (3) business days after posting if sent by registered mail.

13.7 Updates to Contact Information

The Company reserves the right to modify its contact information and communication procedures as necessary. Such modifications shall be:

13.7.1 Posted on the Platform;

13.7.2 Updated in relevant documentation;

13.7.3 Communicated to users when appropriate;

13.7.4 Effective upon posting or as otherwise specified.

13.8 Data Protection Inquiries

For matters specifically related to data protection and privacy:

13.8.1 Users within the European Economic Area may direct inquiries to: Email: [email protected]

13.8.2 General data protection inquiries should be sent to: Email: [email protected]

13.8.3 Requests regarding data subject rights should include "Privacy Rights Request" in the subject line.

14. Legal Basis for Processing

14.1 Overview

As a growing startup operating under European Union law, the Company processes personal information in accordance with the General Data Protection Regulation (GDPR). This section outlines the basic legal grounds that allow us to process your information.

14.2 Primary Processing Grounds

The Company primarily processes personal information based on the following grounds:

14.2.1 Contract Performance: We process your information when necessary to provide our services and fulfill our commitments to you. This includes creating your account, managing your bookings, and processing your payments.

14.2.2 Legal Requirements: We process information as required by applicable laws, such as maintaining certain business records for tax purposes.

14.2.3 Legitimate Interests: We process information for our legitimate business purposes, such as maintaining Platform security and improving our services, as long as these interests don't override your rights.

14.2.4 Your Consent: For certain optional features and marketing communications, we process information based on your explicit consent, which you can withdraw at any time by contacting [email protected].

14.3 Commitment to Growth

As our Platform grows and evolves, we are committed to:

14.3.1 Developing more sophisticated data processing practices;

14.3.2 Enhancing our documentation and procedures;

14.3.3 Implementing additional privacy controls;

14.3.4 Expanding our privacy protection measures in line with our growth.

15. Additional Rights and Information

15.1 Privacy Leadership

As a growing startup committed to user privacy, the Company manages privacy matters through its core team. Privacy-related inquiries and concerns should be directed to:

Email: [email protected]
Website: https://corazon.dance

For users within the European Economic Area requiring assistance with privacy matters, our designated contact is:

Gabriel Zambrano
Email: [email protected]
Telephone: +41 76 571 49 31

15.2 Exercise of Privacy Rights

The Company is committed to facilitating the exercise of user privacy rights in a straightforward manner:

15.2.1 Submitting Requests: To exercise any privacy rights, users should send a request to [email protected] with "Privacy Rights Request" in the subject line. The request should include:

(a) The specific right being exercised; (b) The user's account email address; (c) Any relevant details to process the request.

15.2.2 Response Timeline: The Company will acknowledge receipt of privacy rights requests within five (5) business days and process such requests within thirty (30) days. If additional time is required due to request complexity, the Company will notify the user.

15.3 Current Capabilities

As a startup focused on growth and user privacy, the Company currently provides:

15.3.1 Basic privacy controls through the Platform interface;

15.3.2 Manual processing of privacy rights requests;

15.3.3 Direct communication channels for privacy inquiries;

15.3.4 Standard security measures through our service providers.

15.4 Future Privacy Enhancements

The Company maintains a commitment to enhancing privacy protection measures as our Platform grows. Planned improvements include:

15.4.1 Development of automated privacy rights management tools;

15.4.2 Implementation of enhanced privacy controls;

15.4.3 Expansion of self-service privacy features;

15.4.4 Enhancement of privacy documentation and procedures.

15.5 Additional Information Access

Users seeking additional information about their privacy rights or the Company's privacy practices may:

15.5.1 Review the Platform's current privacy settings and controls;

15.5.2 Contact the Company through designated communication channels;

15.5.3 Request clarification about specific privacy practices;

15.5.4 Submit inquiries about planned privacy enhancements.

15.6 Changes to Privacy Rights

The Company will notify users of significant changes affecting privacy rights through:

15.6.1 Platform notifications;

15.6.2 Email communications where appropriate;

15.6.3 Updates to relevant documentation;

15.6.4 Direct communication for material changes.

15.7 Limitations and Exceptions

The Company acknowledges certain limitations in its current privacy capabilities and maintains transparency about:

15.7.1 Processing timelines for manual privacy requests;

15.7.2 Technical limitations of current privacy controls;

15.7.3 Reliance on third-party service providers for certain privacy functions;

15.7.4 Ongoing development of privacy enhancement features.

15.8 Privacy Commitment

Despite our startup status, the Company maintains a strong commitment to user privacy through:

15.8.1 Regular review of privacy practices;

15.8.2 Continuous improvement of privacy measures;

15.8.3 Open communication about privacy capabilities;

15.8.4 Responsive handling of privacy concerns.